Enable Calico application layer policy for Istio
Big picture
Enable Calico application layer network policy in Istio service mesh.
Value
Calico application layer policy lets you enforce application layer attributes like HTTP methods or paths, and cryptographically secure identities for Istio-enabled apps.
Concepts
Mitigate threats with Calico network policy
Although Istio policy is ideal for operational goals, security inside and outside the cluster requires Calico network policy. Calico supports a special integration for Istio, called application layer policy. This policy lets you restrict ingress traffic inside and outside pods, and mitigate common threats to Istio-enabled apps.
For a tutorial on how application layer policy provides second-factor authentication for the mythical Yao Bank, see Enforce network policy using Istio.
Before you begin…
Required
- Calico is installed
- calicoctl is installed and configured
- Kubernetes 1.15 or older (Istio 1.1.7 does not support Kubernetes 1.16+). See this issue for details and workaround.
How to
- Enable application layer policy
- Install Istio
- Update Istio sidecar injector
- Add Calico authorization services to the mesh
- Add namespace labels
Enable application layer policy
To enable the application layer policy, you must enable the Policy Sync API on Felix cluster-wide.
In the default FelixConfiguration, set the field, policySyncPathPrefix to /var/run/nodeagent:
calicoctl patch FelixConfiguration default --patch \
'{"spec": {"policySyncPathPrefix": "/var/run/nodeagent"}}'
Install Istio
- Verify application layer policy requirements.
- Install Istio using the Istio project documentation. Istio can be installed in both strict mode or permissive mode. For example to install Istio in strict mode:
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.4.2 sh -
cd $(ls -d istio-*)
./bin/istioctl manifest apply --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true
Strict mode is suggested when creating a new cluster. Adopting mTLS into an existing deployment is challenging because you need to make sure both client and server are provisioned with certificates at the same time. As a result, Istio provides a mode to take a deployment not using mTLS and gradually enable it without causing outages for clients. Istio permissive mode allows a service to accept both plaintext traffic and mutual TLS traffic at the same time.
Application layer policies work with both Istio in strict or permissive mode. When dealing with mTLS traffic, Calico will cryptographically verify identity while making an authorization decision. When Calico receives plain-text instead, it will fall back on using IP addresses to verify identity.
Update Istio sidecar injector
The sidecar injector automatically modifies pods as they are created to work with Istio. This step modifies the injector configuration to add Dikastes (a Calico component), as sidecar containers.
- Follow the Automatic sidecar injection instructions to install the sidecar injector and enable it in your chosen namespace(s).
- Patch the istio-sidecar-injector
ConfigMapto enable injection of Dikastes alongside Envoy.
curl https://docs.projectcalico.org/manifests/alp/istio-inject-configmap-1.4.2.yaml -o istio-inject-configmap.yaml
kubectl patch configmap -n istio-system istio-sidecar-injector --patch "$(cat istio-inject-configmap.yaml)"
If you installed a different version of Istio, substitute 1.4.2 in the above URL for your Istio version. We have predefined ConfigMaps for Istio versions 1.1.0 through 1.1.17, 1.2.0 through 1.2.9, 1.3.0 through 1.3.5, and 1.4.0 through 1.4.2. To customize the standard sidecar injector ConfigMap or understand the changes we have made, see Customizing the manifests.
Add Calico authorization services to the mesh
Apply the following manifest to configure Istio to query Calico for application layer policy authorization decisions.
kubectl apply -f https://docs.projectcalico.org/manifests/alp/istio-app-layer-policy.yaml
Add namespace labels
You can control enforcement of application layer policy on a per-namespace basis. However, this only works on pods that are started with the Envoy and Calico Dikastes sidecars (as noted in the step, Update Istio sidecar injector). Pods that do not have the Calico sidecars, enforce only standard Calico network policy.
To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled.
kubectl label namespace <your namespace name> istio-injection=enabled
If the namespace already has pods in it, you must recreate them for this to take effect.
Note: Envoy must be able to communicate with the
istio-pilot.istio-system service. If you apply any egress policies to your pods, you must enable access. For example, you could apply a network policy.